SCCM Software Update Monthly Patches

This can be applied for any products or operating systems you are patching with SCCM.

In a prior post we discussed patching with a Baseline deployment. The intention of the Baseline is to bring all devices up to date to a certain point in time so that they can begin to receive the monthly cumulative updates as they are released.

This post will serve as a tutorial for deploying patches manually each month, as opposed to using automatic deployment rules which would do all of this for you automatically.

In this tutorial I’m going to use Windows 7 patches as the example, but the same can be applied for any operating system or product.

First, we will start on the All Software Updates node, and create a search (that you should save as a Saved Search) that finds all Windows 7 x64 updates that aren’t expired, aren’t superseded, and were released this month (May 2017 in this example).

Next we will select all of the results from this search, and add them to a Software Update group so that we can deploy them.

Next we will go to the Software Update Groups node and deploy the group we just created.

On the Deployment Settings screen, we will choose to deploy the updates as required so that they are automatically installed, and I’ll leave the Detail Level at the default.

On the Scheduling screen we can choose our schedule for deploying the updates. Typically you will leave the time set to Client Local Time. Next we’ll choose when to make the updates available for users to install from the Software Center on their own time, then we’ll choose the Installation Deadline when the updates will automatically install on our devices. In my case, I want both to be As Soon As Possible.

On the User Experience screen, we’ll first select the level of notification the end user sees about this deployment. Typically for Software Updates, I choose to only show notifications for computer restarts.

Under Deadline Behavior, checking the boxes allows Software Update installation and system restarts to ignore maintenance windows. If you don’t have maintenance windows, or you have maintenance windows and want to honor them, leave these boxes unchecked.

Under Device Restart Behavior, we can choose whether we want the devices to reboot at all. If you want the devices to install updates but not reboot automatically, check the box for the type of devices you’re deploying the updates to (Windows 7 = Workstations).

The Embedded devices box is checked by default, which is fine; most people don’t use embedded devices, but leaving it checked won’t hurt anything.

The last box asks whether you want the system to evaluate whether additional updates are available after a restart has occurred. Sure, why not!

On the Alerts screen I can choose my level of alerting for compliance.

Download Settings. If a computer can’t find updates on Distribution Points within its boundary, can it go to a Distribution Point outside its boundary to download updates? Also, if the computer can’t find updates on any DP, can it go over the internet to Microsoft Update and download them?
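The same monthly procedure as a script, added here as an example that is not part of the original post, using the ConfigurationManager PowerShell module that ships with the console. The site code, target collection name and the May 2017 / Windows 7 x64 filter are placeholders, and the cmdlet parameter names should be checked against Get-Help for your console version.

```powershell
# Added example: monthly software update deployment via the ConfigurationManager module.
# Site code, collection and the month/product filter below are placeholders for your site.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
$SiteCode   = 'PS1'                        # placeholder site code
$Collection = 'Win7 Workstations - Pilot'  # placeholder target collection
Set-Location "$($SiteCode):"

# Step 1: the saved search - released this month, not expired, not superseded,
# title matches Windows 7 x64 (same criteria as the console search).
$MonthStart = Get-Date -Year 2017 -Month 5 -Day 1 -Hour 0 -Minute 0 -Second 0
$MonthEnd   = $MonthStart.AddMonths(1).AddSeconds(-1)
$Updates = Get-CMSoftwareUpdate -Fast -IsExpired $false -IsSuperseded $false `
               -DatePostedMin $MonthStart -DatePostedMax $MonthEnd |
           Where-Object { $_.LocalizedDisplayName -like '*Windows 7*x64*' }
if (-not $Updates) {
    throw "No matching updates for $($MonthStart.ToString('yyyy-MM')); nothing to deploy."
}
# Review what the search returned before anything is created.
$Updates | Select-Object ArticleID, LocalizedDisplayName, DatePosted | Format-Table -AutoSize

# Step 2: put the results in a Software Update Group.
$GroupName = "Windows 7 x64 - $($MonthStart.ToString('yyyy-MM'))"
New-CMSoftwareUpdateGroup -Name $GroupName -SoftwareUpdateId $Updates.CI_ID | Out-Null

# Step 3: deploy the group with the wizard settings from the post:
# Required deployment, client local time, available and deadline as soon as possible,
# notifications only for restarts, maintenance windows honoured (both boxes unchecked),
# embedded write filter handling on, re-evaluate after restart, fall back to a DP
# outside the boundary and then to Microsoft Update if no DP has the content.
# Restart suppression for workstations is the -RestartWorkstation parameter; its
# polarity is not assumed here, so check Get-Help before adding it.
New-CMSoftwareUpdateDeployment -SoftwareUpdateGroupName $GroupName `
    -CollectionName $Collection -DeploymentName "$GroupName - $Collection" `
    -DeploymentType Required -TimeBasedOn LocalTime `
    -AvailableDateTime (Get-Date) -DeadlineDateTime (Get-Date) `
    -UserNotification DisplaySoftwareCenterOnly `
    -SoftwareInstallation $false -AllowRestart $false `
    -PersistOnWriteFilterDevice $true -RequirePostRebootFullScan $true `
    -ProtectedType RemoteDistributionPoint -UnprotectedType UnprotectedDistributionPoint `
    -DownloadFromMicrosoftUpdate $true

"Group '$GroupName' holds $(@($Updates).Count) updates and is deployed as Required to '$Collection'."
```

Run it against a pilot collection first; the printed update list is the point at which a wrong search filter (for example a title pattern that also matches Windows Embedded Standard 7) is caught before the group is deployed.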